Configuring Failover

Understanding Failover

The Failover panel contains the settings for configuring failover on the FWSM. However, the Failover panel changes depending upon whether you are in multiple mode or single mode, and when you are in multiple mode, it changes based on the security context you are in.

Failover allows you to configure two FWSMs so that one will take over operation if the other fails. Using a pair of FWSMs, you can provide high availability with no operator intervention. The FWSM communicates failover information over a dedicated failover link. The following information is communicated over the failover link:

•The failover state (active or standby).

•Hello messages (keep-alives).

•Network link status.

•Configuration replication.

Caution All information that is sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords, and preshared keys that are used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the FWSM to terminate VPN tunnels.

The FWSM supports two types of failover, Active/Standby and Active/Active. Additionally, failover can be stateful or stateless. For more information about the types of failover, see the following topics:

Active/Standby Failover

In an Active/Standby configuration, the active FWSM processes all network traffic passing through the failover pair. The standby FWSM does not process network traffic until a failure occurs on the active FWSM. Whenever the configuration of the active FWSM changes, it sends configuration information over the failover link to the standby FWSM.

When a failover occurs, the standby FWSM becomes the active unit. It assumes the IP and MAC address of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC address, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to FWSMs in single mode or multiple mode.

Active/Active Failover

In an Active/Active failover configuration, both FWSMs pass network traffic. Active/Active failover is only available to FWSMs in multiple context mode.

To enable Active/Active failover on the FWSM, you need to create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is simply a logical group of one or more security contexts. You can create two failover groups on the FWSM. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:

•When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit.

•When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.

After both units are running, commands are replicated from one unit to the other as follows:

•Commands that are entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.

Note A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.

•Commands that are entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

•Commands that are entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.

In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.

Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.

Stateless (Regular) Failover

Stateless failover is also referred to as regular failover. In stateless failover, all active connections are dropped when a failover occurs. Clients need to re-establish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit in the failover pair continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

Note The IP address and MAC address for the state and LAN failover links do not change at failover.

To use Stateful Failover, you must configure a state link to pass all state information to the standby unit. You can use the same interface for the state link as the failover link. However, it is recommended that you use a dedicated interface for passing state information the standby unit.

The following information is passed to the standby unit when Stateful Failover is enabled:

•NAT translation table.

•TCP connection table (except for HTTP), including the timeout connection.

•HTTP connection states (if HTTP replication is enabled).

•H.323, SIP, and MGCP UDP media connections.

•The system clock.

•The ISAKMP and IPsec SA table.

•The user authentication (uauth) table.

The following information is not copied to the standby unit when Stateful Failover is enabled:

•HTTP connection table (unless HTTP replication is enabled).

•The ARP table.

•Routing tables.

Configuring Failover with the High Availability and Scalability Wizard

The High Availability and Scalability Wizard steps you through the process of creating an Active/Active or an Active/Standby failover configuration.

See the following topics for information about using the High Availability and Scalability Wizard:

Accessing and Using the High Availability and Scalability Wizard

To open the High Availability and Scalability Wizard, choose Wizards > High Availability and Scalability Wizard from the ASDM menu bar. The first screen of the wizard appears.

To move to the next screen of the wizard, click the Next button. You must complete the mandatory field of each screen before you can move to the next screen.

To move to a previous screen of the wizard, click the Back button. If information filled in on later screens of the wizard is not affected by the change you make to an earlier screen, that information remains on the screen as you move forward through the wizard again. You do not need to re-enter it.

To leave the wizard at any time without saving any changes, click Cancel.

To send your configuration to the FWSM at the end of the wizard, click Finish.

Configuring Active/Active Failover with the High Availability and Scalability Wizard

The following procedure provides a high-level overview for configuring Active/Active failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.

Step 3 If the FWSM or the failover peer are in single context mode, change them to multiple context mode on the Change Device to Multiple Mode screen. When you change the FWSM to multiple context mode, it will reboot. ASDM automatically re-establishes communication with the FWSM when it has finished rebooting.

The failover configuration is sent to the FWSM and to the failover peer.

Configuring Active/Standby Failover with the High Availability and Scalability Wizard

The following procedure provides a high-level overview for configuring Active/Standby failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.

The failover configuration is sent to the FWSM and to the failover peer.

Field Information for the High Availability and Scalability Wizard

The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring.

•Configure VPN Cluster Load Balancing—Configures the FWSM to participate in VPN load balancing as part of a cluster.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Failover Peer Connectivity and Compatibility Check

The Failover Peer Connectivity and Compatibility Check screen lets you verify that the selected failover peer is reachable and compatible with the current unit. If any of the connectivity and compatibility tests fail, you must correct the problem before you can proceed with the wizard.

Fields

•Peer IP Address—Enter the IP address of the peer unit. This address does not have to be the failover link address, but it must be an interface that has ASDM access enabled on it.

•Test Compatibility—Click this button to perform the following connectivity and compatibility tests:

–Connectivity test from this ASDM to the peer unit

–Connectivity test from this firewall device to the peer firewall device

–Hardware compatibility test

–Software version compatibility

–Failover license compatibility

–Firewall mode compatibility

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Change Device to Multiple Mode

The Change Device to Multiple Mode dialog box appears for Active/Active failover configuration only. Active/Active failover requires the FWSM to be in multiple context mode. This dialog box lets you convert a FWSM in single context mode to multiple context mode.

When you convert from single context mode to multiple context mode, the FWSM creates the system configuration and the admin context from the current running configuration. The admin context configuration is stored in the admin.cfg file. The conversion process does not save the previous startup configuration, so if the startup configuration differed from the running configuration, those differences are lost.

Converting the FWSM from single context mode to multiple context mode causes the FWSM to reboot. However the High Availability and Scalability Wizard restores connectivity with the newly created admin context and reports the status in the Devices Status field in this dialog box.

You need to convert both the current FWSM and the peer FWSM to multiple context mode before you can proceed.

Fields

•Change device To Multiple Context—Causes the FWSM to change to multiple context mode. device is the hostname of the FWSM.

•Change device (peer) To Multiple Context—Causes the peer unit to change to multiple context mode. device is the hostname of the FWSM.

•Device Status—(Display only) Displays the status of the FWSM while converting to multiple context mode.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Security Context Configuration

The Security Context Configuration screen appears for Active/Active configuration only. The Security Context Configuration screen lets you assign security contexts to failover groups. It displays the security contexts that are currently configured on the device and lets you add new ones or remove existing ones as needed. Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.

Fields

•Name—Displays the name of the security context. To change the name, click the name and type a new name.

•Failover Group—Displays the failover group the context is assigned to. To change the failover group for a security context, click the failover group and select the new failover group number from the drop-down list.

Modes

The following table shows the modes in which this feature is available:

Failover Link Configuration

•LAN Interface—Choose the interface to use for failover communication from the drop-down list.

•Logical Name—Type a name for the interface.

•Active IP—Type the IP address that is used for the failover link on the unit that has failover group 1 in the active state.

•Standby IP—Type the IP address that is used for the failover link on the unit that has failover group 1 in the standby state.

•Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.

•Secret Key—(Optional) Enter the key that is used to encrypt failover communication. If this field is left blank, failover communication, including any passwords or keys in the configuration that is sent during command replication, is in clear text.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

State Link Configuration

The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.

Fields

•Use the LAN link as the State Link—Choose this option to pass state information across the LAN-based failover link.

•Configure another interface for Stateful Failover—Choose this option to configure an unused interface as the Stateful Failover interface.

–State Interface—Choose the interface that you want to use for Stateful Failover communication from the drop-down list.

–Logical Name—Type the name for the Stateful Failover interface.

–Active IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the active state.

–Standby IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the standby state.

–Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Standby Address Configuration

Use the Standby Address Configuration screen to assign standby addresses to the interface on the FWSM.

Fields

•Device/Interface—(Active/Standby failover) Displays the interfaces that are configured on the failover units. Click the plus sign (+) by a device name to displays the interfaces on that device. Click the minus sign (-) by a device name to hides the interfaces on that device.

•Device/Group/Context/Interface—(Active/Active failover) Displays the interfaces that are configured on the failover unit. The interfaces are grouped by context, and the contexts are grouped by failover group. Click the plus sign (+) by a device, failover group, or context name to expand the list. Click the minus sign (-) by a device, failover group, or context name to collapse the list.

•Active IP—Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.

•Standby IP—Double-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit.

•Is Monitored—Check this check box to enable health monitoring for that interface. Uncheck the check box to disable the health monitoring. By default, health monitoring of physical interfaces is enabled and health monitoring of virtual interfaces is disabled.

•ASR Group—Select the asynchronous group ID from the drop-down list. This setting is only available for physical interface. For virtual interfaces, this field displays "None".

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Summary

The Summary screen displays the results of the configuration steps you performed in the previous wizard panels.

Fields

The configuration appears in the center of the screen. Verify your settings and click Finish to send your configuration to the device. If you are configuring failover, the configuration is also sent to the failover peer. If you need to change a setting, click Back until you reach the screen where you need to make the change. Make the change and click Next until you return to the Summary screen.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

•

•

•

—

•

Field Information for the Failover Panes

What displays on the failover pane depends upon the mode you are in (single or multiple context mode) and whether you are in the system execution space or in a security context.

Failover—Single Mode

The Failover panel contains the tabs where you can configure Active/Standby failover in single context mode. For more information about configuring the settings on each tab of the Failover panel, see the following information. Note that the Interfaces tabs changes based on whether you are in routed firewall mode or transparent firewall mode.

Note The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces panel before enabling failover.

•Use 32 hexadecimal character key—Select this check box to enter a hexadecimal value for the encryption key in the Shared Key box. Clear this check box to enter an alphanumeric shared secret in the Shared Key box.

•Shared Key—Specifies the failover shared secret or key for encrypted and authenticated communications between failover pairs.

If you selected the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

•LAN Failover—Contains the fields for configuring LAN-based failover.

–Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic.

Note We recommend that you use two separate, dedicated interfaces for the Failover interface and the Stateful Failover interface.

Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces panel.

–Active IP—Specifies the IP address for the failover interface on the active unit.

–Subnet Mask—Specifies the mask for the failover interface on the primary and secondary unit.

–Logical Name—Specifies the logical name of the interface that is used for failover communication.

–Standby IP—Specifies the IP address that the secondary unit uses to communicate with the primary unit.

–Preferred Role—Specifies whether the preferred role for this FWSM is as the primary or secondary unit in a LAN failover.

–Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic. If you use the same interface for Stateful Failover that you are using for LAN-based failover, the Active IP, Subnet Mask, Logical Name, and Standby IP values do not need to be specified.

Note We recommend that you use two separate dedicated interfaces.

–Active IP—Specifies the IP address for the Stateful Failover interface on the primary unit.

–Subnet Mask—Specifies the mask for the Stateful Failover interfaces on the primary and secondary units.

–Logical Name—Specifies the logical interface used for failover communication.

–Standby IP—Specifies the IP address used by the secondary unit to communicate with the primary unit.

–Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.

Modes

The following table shows the modes in which this feature is available:

Edit Failover Interface Configuration (Routed Firewall Mode)

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Fields

•Interface Name—Identifies the interface name.

•Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

•Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.

•Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

•Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

–Unknown—Initial status. This status can also mean that the status cannot be determined.

–Normal—The interface is receiving traffic.

–Testing—Hello messages are not heard on the interface for five poll times.

–Link Down—The interface is administratively down.

–No Link—The physical link for the interface is down.

–Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Failover: Interfaces (Transparent Firewall Mode)

Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the FWSM should be monitored.

Fields

•Interface—Lists the interfaces on the FWSM.

–Interface Name—Identifies the interface name.

–Is Monitored—Select this checkbox to specify that health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.

The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

•Bridge Group—Lists the bridge groups that are defined on the FWSM. This list only appears for FWSM units or contexts in transparent mode.

–Bridge Group—Identifies the bridge group name for the FWSM or context in transparent firewall mode.

Failover: Criteria

Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Fields

•Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure.

–Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

–Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

•Failover Poll Times—Contains the fields for defining how often hello messages are sent on the failover link and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

–Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 milliseconds (ms.).

–Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the polltime.

–Monitored Interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

•Preempt—Check this checkbox to enable failover preemption. Failover preemption causes the primary unit to become the active unit automatically after rebooting or recovering from a failover condition. If this checkbox is not checked, then a primary unit that boots while the secondary unit is active or that recovers from a failed state will stay in the standby state until either a failover occurs or you force it to become active.

–with optional delay of—Specifies the number of seconds that the primary unit should wait after rebooting before taking over as the active unit. The range is between 1 and 1200 seconds. Leave this field blank to configure no delay.

Modes

The following table shows the modes in which this feature is available:

Edit Failover Interface Configuration

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Fields

•Interface Name—Identifies the interface name.

•Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

•Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.

•Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

•Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

–Unknown—Initial status. This status can also mean that the status cannot be determined.

–Normal—The interface is receiving traffic.

–Testing—Hello messages are not heard on the interface for five poll times.

–Link Down—The interface is administratively down.

–No Link—The physical link for the interface is down.

–Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Failover—Transparent

Use this panel to define the standby IP address for the management interface for the security context and to specify whether the status of the interfaces on the security context should be monitored.

Fields

•Interface—Lists the interfaces on the FWSM.

–Interface Name—Identifies the interface name.

–Is Monitored—Select this checkbox to specify that health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.

The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

•Bridge Group—Lists the bridge groups that are defined on the FWSM. This list only appears for FWSM units or contexts in transparent mode.

–Bridge Group—Identifies the bridge group name for the FWSM or context in transparent firewall mode.

Edit Failover Interface Configuration

Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.

Fields

•Interface Name—Identifies the interface name.

•Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

–Unknown—Initial status. This status can also mean that the status cannot be determined.

–Normal—The interface is receiving traffic.

–Testing—Hello messages are not heard on the interface for five poll times.

–Link Down—The interface is administratively down.

–No Link—The physical link for the interface is down.

–Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Failover—Multiple

This panel includes tabs for configuring the system-level failover settings in the system context of a FWSM in multiple context mode. In multiple mode, you can configure Active/Standby or Active/Active failover. Active/Active failover is automatically enabled when you create failover groups in the device manager. For both types of failover, you need to provide system-level failover settings in the system context, and context-level failover settings in the individual security contexts. For more information about configuring failover in general, see Understanding Failover.

Note The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces panel before enabling failover.

–Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic.

Note We recommend that you use two separate dedicated interfaces.

Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces panel or assign that interface to a context.

–Active IP—Specifies the IP address for the failover interface on the active unit.

–Subnet Mask—Specifies the mask for the failover interface on the active unit.

–Logical Name—Specifies the logical name for the failover interface.

–Standby IP—Specifies the IP address of the standby unit.

–Preferred Role—Specifies whether the preferred role for this FWSM is as the primary or secondary unit in a LAN failover.

–Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic. If you use the same interface for Stateful Failover that you are using for LAN-based failover, the Active IP, Subnet Mask, Logical Name, and Standby IP values do not need to be specified.

Note We recommend that you use two separate dedicated interfaces.

–Active IP—Specifies the IP address for the Stateful Failover interface on the active unit.

–Subnet Mask—Specifies the mask for the Stateful Failover interface on the active unit.

–Logical Name—Specifies the logical name for the Stateful Failover interface.

–Standby IP—Specifies the IP address of the standby unit.

–Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.

Modes

The following table shows the modes in which this feature is available:

Failover > Criteria Tab

Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Note If you are configuring Active/Active failover, you do not use this tab to define the interface policy; instead, you define the interface policy for each failover group using the Failover > Active/Active Tab. With Active/Active failover, the interface policy settings that are defined for each failover group override the settings on this tab. If you disable Active/Active failover, then the settings on this tab are used.

Fields

•Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure.

–Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

–Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

•Failover Poll Times—Contains the fields for defining how often hello messages are sent on the failover link and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

–Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 ms.

–Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the polltime.

–Monitored Interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

•Preempt—Check this checkbox to enable failover preemption. Failover preemption causes the primary unit to become the active unit automatically after rebooting or recovering from a failover condition. If this checkbox is not checked, then a primary unit that boots while the secondary unit is active or that recovers from a failed state will stay in the standby state until either a failover occurs or you force it to become active.

–with optional delay of—Specifies the number of seconds that the primary unit should wait after rebooting before taking over as the active unit. The range is between 1 and 1200 seconds. Leave this field blank to configure no delay.

Modes

The following table shows the modes in which this feature is available:

Failover > Active/Active Tab

Use this tab to enable Active/Active failover on the FWSM by defining failover groups. In an Active/Active failover configuration, both FWSMs pass network traffic. Active/Active failover is only available to FWSMs in multiple mode.

A failover group is simply a logical group of security contexts. You can create two failover groups on the FWSM. You must create the failover groups on the active unit in the failover pair. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.

Fields

•Failover Groups—Lists the failover groups that are currently defined on the FWSM.

–Group Number—Specifies the failover group number. This number is used when assigning contexts to failover groups.

–Preferred Role—Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is checked. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

–Preempt Enabled—Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.

–Preempt Delay—Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

–Interface Policy—Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.

–Interface Poll Time—Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

–Replicate HTTP—Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

•Add button—Displays the Add Failover Group dialog box. This button is only enabled if less than two failover groups exist. See Add/Edit Failover Group for more information.

•Edit button—Displays the Edit Failover Group dialog box for the selected failover group. See Add/Edit Failover Group for more information.

•Delete button—Removes the currently selected failover group from the failover groups table. This button is only enabled if the last failover group in the list is selected.

Modes

The following table shows the modes in which this feature is available:

Add/Edit Failover Group

Use the Add/Edit Failover Group dialog box to define failover groups for an Active/Active failover configuration.

Fields

•Preferred Role—Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

•Preempt after booting with optional delay of—Selecting this check box causes the unit that is the preferred failover device for a failover group to become the active unit after rebooting. Selecting this check box also enables the Preempt after booting with optional delay of box in which you can specify a period of time that the device should wait before becoming the active unit.

•Preempt after booting with optional delay of—Specifies the number of seconds that a unit should wait after rebooting before taking over as the active unit for any failover groups for which it is the preferred failover device. The range is between 0 and 1200 seconds.

•Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure. These settings override any interface policy settings on the Criteria tab.

–Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

–Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

•Poll time interval for monitored interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

•Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

Modes

The following table shows the modes in which this feature is available: